[30613] in cryptography@c2.net mail archive


Re: Interesting bit of a quote

daemon@ATHENA.MIT.EDU (dan@geer.org)
Wed Jul 12 09:40:45 2006

X-Original-To: cryptography@metzdowd.com
From: dan@geer.org
To: David Wagner <daw@cs.berkeley.edu>
Cc: dan@geer.org, cryptography@metzdowd.com
In-Reply-To: Your message of "Tue, 11 Jul 2006 17:50:06 PDT."
             <200607120050.k6C0o6Su026853@taverner.cs.berkeley.edu> 
Date: Tue, 11 Jul 2006 21:08:14 -0400


David Wagner writes:
-+------------------
 | dan@geer.com writes:
 | >I can corroborate the quote in that much of SarbOx and
 | >other recent regs very nearly have a guilty unless proven
 | >innocent quality, that banks (especially) and others are
 | >called upon to prove a negative: X {could,did} not happen.
 | >California SB1386 roughly says the same thing: If you cannot
 | >prove that personal information was not spilled, then you
 | >have to act as if it was.
 | 
 | No, it doesn't.  I think you've got it backwards.  That's not what SB1386
 | says.  SB1386 says that if a company conducts business in California and
 | has a system that includes personal information stored in unencrypted form
 | and if that company discovers or is notified of a breach of the security of
 | that system, then the company must notify any California resident whose
 | unencrypted personal information was, or is reasonably believed to have
 | been, acquired by an unauthorized person. [*]
 | <snip>

Been with a reasonable number of General Counsels
on this sort of thing.  Maybe you can blame them
and not SB1386 for saying that if you cannot prove
the data didn't spill then it is better corporate
risk management to act as if it did spill.  All I know
is that the GCs, or for that matter the newspapers,
are full of stories about, say, buying credit-watch
services for everyone who could conceivably be at
any non-zero risk.  "Conceivably at non-zero risk"
maps to "prove a negative" at least as I mean it here.
This may be, in other words, de facto versus de jure
and your interpretation may be the correct one.  It
doesn't seem so to me, but YMMV.

And, yes, SarbOx is worse. 

--dan


